iAPP Exchange 2010 deployment

Question

I am trying to deploy 2010 in the following design.
DMZ -&gt; BIG-IP APM will provide secure remote access to CAS&nbsp;
What IP address do you want to use for the BIG-IP APM virtual server? 50.50.50.1&nbsp;
SSL Bridging&nbsp;
sslclient_X&nbsp;
sslServer_x&nbsp;
What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1 &nbsp;
Outlook Anywhere not used or clients use basic auth&nbsp;
This work fine. &nbsp;
What is not working is I want to setup the same scenario from our internal network and forward traffic to 10.10.10.1&nbsp;
So I ran the iApp and setup
Internal -&gt; BIG-IP APM will provide secure remote access to CAS &nbsp;
What IP address do you want to use for the BIG-IP APM virtual server? 10.10.10.20&nbsp;
SSL Bridging&nbsp;
sslclient_X&nbsp;
sslServer_x&nbsp;
What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1 &nbsp;
Outlook Anywhere not used or clients use basic auth&nbsp;
I get the Secure Logon for F5 Networks, enter my credentials (as before) and it times out "IE cannot display the webpage"
The stats on the pool (vs 10.10.10.1) are not changing. I don't see traffic from 10.10.10.20 to 10.10.10.1 (tcpdump). If I put in the wrong credentials I get an error stating username or password is not correct so I know I get to AD auth. &nbsp;
Any help is greatly appreciated.&nbsp;
jkrum&nbsp;

mikeshimkus_111 · Accepted Answer

The IP address of the CAS should be the actual Client Access servers, not the IP address of the other internal virtual server.&nbsp;

mikeshimkus_111 · Answer

Hi jkrum, &nbsp;
How did you answer the question, Where will your BIG-IP virtual servers be in relation to your Client Access Servers?" in the internal iApp?&nbsp;
Mike&nbsp;

jkrumenacher_13 · Answer

That question is not asked under the deployment scenario "BIG-IP APM will provide secure remote access to CAS"&nbsp;
That is asked under BIG-IP LTM will receive HTTP-based CAS traffic forwarded by a BIG-IP APM.&nbsp;
I might not have been clear enough with what I am trying to do. Today I have run the iApp in our DMZ F5 - using  the deployment scenario "BIG-IP APM will provide secure remote access to CAS" (notes in initial question)&nbsp;
Forwarding traffic to the internal F5 where the deployment scenario is BIG-IP LTM will load balance and optimize CAS traffic. (Here I state they will be on different subnets)&nbsp;
This works. &nbsp;
What I want to do is create another instance of the iApp, just like the DMZ deployment, to hit first and just forward traffic to the internal F5 iApp VS.&nbsp;
We have a custom login form used externally, I am looking to have the displayed when accessing Exchange internally as well. &nbsp;
Does that help clear it up a bit?&nbsp;
Thanks,
jkrum&nbsp;

mikeshimkus_111 · Answer

Just asked around a bit, and it seems that you need an iRule to perform the VIP-targeting-VIP scenario (where a virtual server forwards traffic to another virtual server on the same BIG-IP):  https://devcentral.f5.com/articles/20-lines-or-less-64-vip-to-vip-redirection-url-separation-and-redirect-rewriting.Uzszxfld_0Q&nbsp;
The Exchange iApp doesn't support this. So in your situation, instead of running the "BIG-IP APM will provide secure remote access to CAS" scenario on the internal BIG-IP, you should run "BIG-IP LTM will load balance and optimize CAS traffic" again, but configure the iApp for LTM+APM mode using 10.10.10.20 as the VIP address.&nbsp;

jkrumenacher_13 · Answer

I created another iApp instance as stated above. With the same results.&nbsp;
( At first I read the reply stating "What IP address do you want to use for your virtual servers?" to equal 10.10.10.20 but that errors that "there is a VS already created ...." from the iApp for the internal F5)&nbsp;
BIG-IP LTM will load balance and optimize CAS traffic&nbsp;
Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager - Yes, provide secure authentication using BIG-IP APM&nbsp;
SSL Bridging &nbsp;
sslclient_X &nbsp;
sslServer_x&nbsp;
Different subnet for BIG-IP VS and CAS&nbsp;
Servers do NOT use BIG-IP as D.G.&nbsp;
Fewer than 6000&nbsp;
use single IP for all connections&nbsp;
All services will be handled by the same set of CAS&nbsp;
use settings recommended by F5&nbsp;
address for your VS = 10.10.10.20
.
.
.
IP address of the CAS 10.10.10.1&nbsp;
jkrum&nbsp;

jkrumenacher_13 · Answer

O.K. I think I was focused on my logic of &nbsp;
DMZ APM --&gt; Internal 2010 iApp --&gt; CAS&nbsp;
internal users --&gt; Internal APM --&gt; Internal 2010 iApp --&gt; CAS&nbsp;
Where as all 2010 logic as with Internal 2010 iApp&nbsp;
Really I should deploy&nbsp;
DMZ APM --&gt; Internal 2010 iApp --&gt; CAS&nbsp;
internal users --&gt;  Internal 2010 iApp2  --&gt; CAS&nbsp;
Where as iApp2 has Yes, provide secure authentication using BIG-IP APM&nbsp;
Let me give that a try.&nbsp;
Thanks again,&nbsp;
jkrum&nbsp;

Forum Discussion

iAPP Exchange 2010 deployment

7 Replies

Recent Discussions

URL

service profile HTTP in LTM v16.1?

iRule resulting in too many redirects

Azure SAML - F5 APM

Converting config to DO

Related Content

Where are F5's archived deployment guides?

F5 BIG-IP deployment with OpenShift - per-application 2-tier deployments

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

Understanding iApps

Spring4shell iApp